BreachExchange mailing list archives

Don’t Be the Next Data Breach Target


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 17 Dec 2014 18:24:12 -0700

http://www.jdsupra.com/legalnews/dont-be-the-next-data-breach-target-64580/


As the much-publicized data breaches of the last year reveal, third parties
are often the gateway to an organization’s data. As repositories of vast
amounts of confidential client data in e-discovery, such as personally
identifiable information and trade secrets, law firms and their service
providers are third parties especially vulnerable to cyberattacks.

Ensuring the highest levels of security requires law firms to review
practices inside the firm as well as with its vendors, including providers
of managed e-discovery services. Although a priority of managed service
providers is information security, not all providers have the appropriate
expertise, investment, or resources to address potential threats. Thus,
before outsourcing discovery services, law firms should consider whether
their providers can pass the following eight-question security test:

1. What are the provider’s security certifications?
Look for ISO 27001 certification; law firms that handle global matters
should also check for U.S.-EU Safe Harbor certification. Additionally, ask
whether the provider has industry-specific certifications, such as for
HIPAA.

2. Does the provider use industry-standard data protection processes?
Mechanisms to look for include two-factor authentication and rigorous user
permissions processes.

3. What form of encryption does the provider use?
Ask your provider how it protects data while at rest and during
transmission, and check the level of encryption for cloud-based storage,
which should be at least 256-bit AES encryption.

4. What are the provider’s processes for conducting chain-of-custody audits?
Make sure the provider has defined processes that require documentation and
logging of all provider actions, including processing, loading, exporting,
and deleting data.

5. What are the provider’s safeguards against intrusion?
Determine whether the provider monitors and addresses suspicious activity
at the network, service, and application levels in real time, 24/365.

6. What physical measures does the provider employ to protect data?
Review whether the provider offers 24/365 physical security and monitoring
for all data. Also, find out whether the provider requires zoned keycard
and biometric scanning for entry and whether it logs all access events.
Finally, check its protection against environmental damage and physical
disasters.

7. What are the provider’s disaster recovery, business continuity, and
incident response protocols?
Infrastructure redundancy should include a minimum of two copies of all
databases, servers, and storage, as well as fault-tolerant application
server clusters. The provider should also have a geographically diverse
secondary data center with real-time backup capabilities. Finally, the
provider should have—and follow—a procedure for regularly testing and
auditing these processes.

8. What processes does the provider use to screen and train employees?
Information security employees should have significant expertise in the
field. In addition, organizations should require all employees to undergo
background checks and sign nondisclosure agreements. The organization
should also conduct regular training on documented security policies and
procedures.
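Question 4 asks for logging of every provider action on client data, but a plain log file can be edited after the fact by whoever has access to it. The following is an added illustration (not from the article or any provider it describes) of how such a chain-of-custody log can be made tamper-evident: each entry carries a SHA-256 digest that covers the previous entry's digest, so changing, removing or reordering any earlier entry is detected when the chain is verified during an audit. The actor names, matter ID and file names are constructed sample values; the four action types are the ones the article lists.

```python
"""Tamper-evident chain-of-custody log (added illustration, not the article's).

Each entry records one provider action on client data and carries a SHA-256
digest over the previous entry's digest plus its own fields. Altering or
deleting an earlier entry therefore breaks every digest after it, and the
break is reported on verification.
"""
import hashlib
import json
from datetime import datetime, timezone

# The provider actions the article says must be documented (question 4).
ALLOWED_ACTIONS = {"process", "load", "export", "delete"}
GENESIS_HASH = "0" * 64  # digest that stands "before" the first entry


def _digest(prev_hash: str, fields: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so key order cannot alter the digest.
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class CustodyLog:
    """Append-only list of entries; every entry links to its predecessor's digest."""

    def __init__(self):
        self.entries = []

    def record(self, actor, action, matter_id, object_ref, when=None):
        if action not in ALLOWED_ACTIONS:
            raise ValueError(f"unknown custody action: {action!r}")
        fields = {
            "seq": len(self.entries),
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "action": action,
            "matter_id": matter_id,
            "object_ref": object_ref,
        }
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = dict(fields, prev_hash=prev_hash, hash=_digest(prev_hash, fields))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
        prev_hash = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            fields = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
            # Sequence numbers catch removed or reordered entries; the digest catches edits.
            if entry["prev_hash"] != prev_hash or entry["seq"] != i:
                return False, i
            if entry["hash"] != _digest(prev_hash, fields):
                return False, i
            prev_hash = entry["hash"]
        return True, None


def build_sample_log():
    """Constructed sample: one matter's data moving through an e-discovery provider."""
    log = CustodyLog()
    t = datetime(2014, 12, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    log.record("analyst01", "load", "MATTER-0001", "custodian_mailbox.pst", t)
    log.record("analyst01", "process", "MATTER-0001", "custodian_mailbox.pst", t)
    log.record("reviewer02", "export", "MATTER-0001", "production_vol_001.zip", t)
    log.record("analyst01", "delete", "MATTER-0001", "custodian_mailbox.pst", t)
    return log


def tampered_log_detected():
    """Modify an entry after it was written and return the index where
    verification first fails (None would mean the change went unnoticed)."""
    log = build_sample_log()
    log.entries[2]["actor"] = "someone-else"  # rewrite who performed the export
    ok, bad_index = log.verify()
    return None if ok else bad_index


if __name__ == "__main__":
    print("intact chain verifies:", build_sample_log().verify())
    print("first broken entry after tampering:", tampered_log_detected())
```

In practice the digest of the latest entry would be exported periodically to a store the provider's operators cannot write to (or signed with a key held by the auditor), so that an operator who can rewrite the whole chain consistently is still caught by comparing against the externally held value.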

For law firms, a cybersecurity breach is not a matter of if, but when.
Therefore, to demonstrate compliance with their data-security obligations,
law firms must ensure that their managed services providers adhere to a
comprehensive security and incident response program. Choosing the right
managed services partner can offer law firms world-class security, threat
detection, and incident response capabilities for their most precious
asset: client data.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
